EUCEUC: Horizon Integrations 2020/21Day 2Federating BambooHR with WorkspaceONE Access

Federating BambooHR with WorkspaceONE Access


In this section, we will be leveraging a public application BambooHR to demonstrate successful Federation of a SaaS application with Workspace ONE Access as an Identity Provider.

Its also comes as a native application for Android and IOS and will be useful when testing Mobile SSO for Android

Pre-requisites to this LAB

You need to have two accounts

  1. Your Admin account that will hold a valid email address
  2. Your custom test account your created at the beginning of the course that has an email address


Note: Images precedes the steps

Part 1: Adding BambooHR to the  Workspace ONE Access Catalog

  1. To enable single sign-on to BambooHR on the service, you must configure the application in the catalog and copy the SAML-signing certificate to BambooHR.
    • Add BambooHR to the Catalog
      1. Log in to the Workspace ONE Access administration console.
      2. In the Catalog page, select NEW
      3. In the New SaaS Application wizard under Search type BambooHR.
      4. Select the BambooHR icon.
      5. Select NEXT
  1. In the Configuration section of the New Saas Application Wizard
  • Under Single Sign-ON URL append the first letter of your city and country two letter abbreviation  + student RDP IP last Octet  Number eg.
    • If you live in Rotterdam Netherlands and your IP address end with 35, then you could come up with a Unique domain. It has to be unique. This is one approach we could follow.
    • Under Recipient URL append your domain name ie Utrecht35 to the FQDN
  • Please remember to document this in your custom accounts in the Horizon Datasheet provided
  1. In the  Application Parameters area
    • Under Value, type in your Singular domain name
      • Note! If your FQDN is going to be then under Value type rnl35
      • Select Next
    • On the Access Policies page
      • Select NEXT
    • On the Summary page
      • Select SAVE & ASSIGN
    • Under Users / User Groups
      • Type and select Marketing
    • Under Deployment Type,
      • Select Automatic
      • Ensure Include is selected under Entitlement Type (Default)
    • Select SAVE
  1. Download SAML-Signing Certificate
    • We need to download the SAML-signing certificate from the Workspace ONE Access service for the BambooHR configuration.
      • In the Catalog > Settings tab, click SAML Metadata.
      • Under Signing Certificate text select DOWNLOAD.
      • Open a .txt  editor and copy Make sure that you include text from -----BEGIN CERTIFICATE---- through ---------END CERTIFICATE-----.

Part 2. Setting up BambooHR

  1. We start off by registering a trial account with BambooHR, next we will federate BambooHR with Workspace ONE Access
    • Open up a browser use the following URL
      • As part of Step 1
      • Add your
        • First Name: "Your" First Name
        • Last Name: "Your" Last Name
        • Work EMAIL: Add an email
        • Work Phone: Add a phone number
      • Select Just One More!
  1. As part of Step 2 complete your registration information Next to
    • Company Name: Livefire
    • Number employees : select a number
    • Country : your choice. e.g. Netherlands
  • Select Just One More!
  1. As part of Step 3 complete your registration information
    • Under
      • Select Edit
    • Under BAMBOOHR DOMAIN, enter
      • your custom domain
    • Under PASSWORD
      • Enter VMware1!
    • Select Generate Your Account


  • Again, make 100% sure you have documented the  new admin UrL, username, password and email address used to register this account
  1. In the BambooHR page
    • Select Open Your Account
    • Enter your with your email address and password
    • Select Log In
    • On the Welcome page select Cancel
  1. Configuring the Single-Sign ON settings in BambooHR
    • On the Home Page look to the right and select the Cog wheel Icons for Settings
  1. Under Settings
    • Select Apps
    • In the Apps Settings page scroll down until you see the red SAML icon
    • Select the Install option next it.
  1. In the SAML Single Sign-On Settings window enter the following:-
    • Under SSO Login URL* : enter your Workspace ONE Access URL in the following format
      • e.g.
    • x509 Certificate: copy the entire content of your signing certificate downloaded in Part 1
      • Include text from -----BEGIN CERTIFICATE---- through ---------END CERTIFICATE-----.
      • Select Install
  1. Setting an Identical custom test User account
    • Select the People tab.
      • Select New Employee.
    • In the Heads Up! page
      • Select Add Anyway
  1. In the Add Employee window add the identical information to what you added at the beginning of the course from your active directory,
    • NB! Matching email address information identical to your Active Directory
      • If necessary double-check your info in Active directory
      • Allow Access to BambooHR is selected
        • Select Employees UK or an alternative
    • Select Save
  1. Testing with your custom user account
    • In Chrome, open up another browser and use the Incognito mode option or open an alternate browser like Mozilla Firefox
    • Type your e.g.
    • On the Select your domain, ensure is selected and select Next
    • On the Workspace ONE Access login type your custom account username and Password and select Sign in
    • On the Surprise page , select Okay, got it
    • Close down the default access prompts and observe that your custom now has access to BambooHR with password based authentication from a Web Browser

In later exercises will use the Native application to provide a single-sign on experience and understand the specifics related to authentication that might be required to fulfill from a platform but also the application perspective

About the Author

About the Author Reinhart Nel

For any questions please email Reinhart at [email protected]


Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.